SCIENTIFIC-LINUX-DEVEL Archives

May 2005

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: Shane Canon <[log in to unmask]>
Reply To: Shane Canon <[log in to unmask]>
Date: Tue, 24 May 2005 09:29:13 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (166 lines)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Stephan,

I've pasted the stand-alone version of the fix in this message.  It's
GPL'd, so I don't have to run this through the hoops.  It corrects the
bug by checking for the negative value that the exploit depends on.

The tricky part is getting the address for the elf binfmt structure,
since it's not exported.  I assume System.map exists and grab it from
there.  This may not be true on your systems.

Regarding the other questions...

DKMS prefers to work with source trees, but you can create tarball
images for a specific kernel.  The hotfix framework includes skeleton
code for creating your own hotfix RPM.  The SPEC file includes a piece
for creating this tarball image as well.  So, if you had the source on
your build machine, you could create the tarball and distribute it with
the hotfix RPM.  However, you would have to create the tarball for every
version of the kernel you needed to repair.

I didn't think about an auto-download option, but it's an interesting
idea.  It could be an additional yum component, since I would distribute
these as RPMs.

The method for determining if a fix is required is somewhat brain dead
right now.  I just rely on the date of the kernel and assume that after
a certain date, the bug must be fixed in the real kernel.  In other
words, if the kernel was created after 05/31/2005, then it must have the
fix already applied.  I can't think of a reliable way to test for the
need of a hotfix.  I think testing an exploit is too dangerous and a
script that greps source code is too unreliable.  If you have any
thoughts, let me know.

--Shane

Here is the script to find the elf binfmt struct.


#!/bin/sh

# Take the kernel version as $1, pull the address of the elf_format symbol
# out of that kernel's System.map, and write it as a #define for config.h.
grep elf_format /boot/System.map-"${1}" | awk '{print "#define ELF_FOR 0x"$1}' > config.h


Here is the kernel mod.

/*
 * Linux kernel module hotfix for elf core dump bug
 *
 * Author: Shane Canon <[log in to unmask]>
 *
 *
 * Copyright (c) 2005, The Regents of the University of California, through
 *   Lawrence Berkeley National Laboratory (subject to receipt of any required
 *   approvals from the U.S. Dept. of Energy).  All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 * Contact information:
 *
 * http://www.lbl.gov/
 *
 */

/*
 * Description: This module addresses a bug in the core handler for elf
 *              binaries.  In order to trap the condition, it replaces
 *              the handler in the binfmt structure for the elf format.
 */


#define KERNEL
#include <linux/config.h>
#include <linux/module.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/binfmts.h>
#include <linux/sched.h>
#include <asm/semaphore.h>
#include <linux/smp_lock.h>
#include "config.h"


MODULE_LICENSE("GPL");
struct linux_binfmt *elf_format = (struct linux_binfmt *)ELF_FOR;


/* Saved pointer to the kernel's original elf core_dump handler. */
static int (*elf_core_orig)(long signr, struct pt_regs * regs, struct file * file);


/*
 * Replacement core_dump handler: refuse to dump when the argument area has
 * the negative length the exploit depends on, otherwise pass the call
 * through to the original handler.
 */
static int elf_core_wrapper(long signr, struct pt_regs * regs, struct file * file){
        if ( (int)(current->mm->arg_end - current->mm->arg_start)<0){
                printk("Error: %d tried to core dump with bad args\n",current->pid);
                return 0;
        }
        else if (elf_core_orig == NULL)
                return 0;
        else
                return elf_core_orig(signr,regs,file);
}


int init_module(void) {
        printk("elf core hotfix module loading\n");
        lock_kernel();
        elf_core_orig=elf_format->core_dump;
        elf_format->core_dump=elf_core_wrapper;
        unlock_kernel();
        return 0;
}

void cleanup_module(void) {
        lock_kernel();
        elf_format->core_dump=elf_core_orig;
        unlock_kernel();
}

Stephan Wiesand wrote:
> Hi Shane,
> 
> On Mon, 23 May 2005, Shane Canon wrote:
> 
> 
> I have written a kernel module hotfix for the elf core bug.  If you are
> interested in it, let me know.
> 
> 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCk1ZZZd/2zrI5CioRAtbIAJ9VzHBMsbAhJA83j03MgXtAIJ/OCACdGCPQ
kovg8iDR7wGj561ZwThlcgI=
=q0m5
-----END PGP SIGNATURE-----
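The two helper steps the mail above describes, the System.map lookup for the unexported elf_format symbol and the date heuristic for deciding whether a kernel still needs the hotfix, written as an added example. This is not Shane Canon's code or part of the hotfix framework; it assumes System.map-style lines of the form "<addr> <type> <name>", takes the 05/31/2005 cutoff from the mail, and every address in the sample map is constructed. The symbol lookup matches the name field exactly and refuses to emit a define when the symbol is missing or ambiguous, which is the failure mode a bare grep would silently pass on into config.h.

```shell
#!/bin/sh
# Added example, not code from Shane Canon's post: the two helper checks the
# hotfix relies on, written with the guards the one-liners lack.
#   1. lookup_symbol / emit_define: resolve an unexported symbol (elf_format)
#      from a System.map-style file, matching the name field exactly.
#   2. needs_hotfix_by_date: Shane's date heuristic, parsed from "uname -v".
# Assumptions: System.map lines look like "<addr> <type> <name>"; the cutoff
# date 05/31/2005 comes from the mail; all addresses below are constructed.

# lookup_symbol MAPFILE SYMBOL -> prints the hex address of SYMBOL.
# Fails if the file is unreadable, the symbol is absent, or it occurs more
# than once (a plain "grep elf_format" would also match e.g. compat_elf_format).
lookup_symbol() {
    mapfile=$1
    sym=$2
    [ -r "$mapfile" ] || { echo "lookup_symbol: cannot read $mapfile" >&2; return 1; }
    # Reuse the function's positional parameters to hold the matching addresses.
    set -- $(awk -v s="$sym" '$3 == s { print $1 }' "$mapfile")
    case $# in
        0) echo "lookup_symbol: $sym not found in $mapfile" >&2; return 1 ;;
        1) printf '%s\n' "$1" ;;
        *) echo "lookup_symbol: $sym listed $# times in $mapfile" >&2; return 1 ;;
    esac
}

# find_map KVER -> prints the symbol file to use for kernel version KVER:
# /boot/System.map-KVER if present, else /proc/kallsyms (same layout).
# Caveat: kallsyms only lists static data such as elf_format when the kernel
# was built with CONFIG_KALLSYMS_ALL, and newer kernels show zeroed addresses
# to unprivileged readers (kptr_restrict), so run this as root.
find_map() {
    if [ -r "/boot/System.map-$1" ]; then
        printf '%s\n' "/boot/System.map-$1"
    elif [ -r /proc/kallsyms ]; then
        printf '%s\n' /proc/kallsyms
    else
        echo "find_map: no System.map-$1 and no /proc/kallsyms" >&2
        return 1
    fi
}

# emit_define MAPFILE SYMBOL -> the config.h line the module includes.
emit_define() {
    addr=$(lookup_symbol "$1" "$2") || return 1
    printf '#define ELF_FOR 0x%s\n' "$addr"
}

# build_date_yyyymmdd "UNAME_V" -> e.g. 20050524 for
# "#1 SMP Tue May 24 09:29:13 PDT 2005". Scans for the month-name field so it
# works with or without the SMP token; fails if no month is found.
build_date_yyyymmdd() {
    printf '%s\n' "$1" | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        { for (i = 1; i < NF; i++)
              if ($i in mon) { printf "%04d%02d%02d\n", $NF, mon[$i], $(i + 1); exit 0 }
          exit 1 }'
}

# needs_hotfix_by_date "UNAME_V" [CUTOFF] -> success (0) when the kernel was
# built on or before CUTOFF (default 20050531, i.e. 05/31/2005 from the mail).
# The build date is the only signal; it proves nothing about the source.
needs_hotfix_by_date() {
    built=$(build_date_yyyymmdd "$1") || return 2
    [ "$built" -le "${2:-20050531}" ]
}

# Stand-alone run on a constructed System.map (made-up addresses).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'c0105000 T do_exit' 'c03d5580 d elf_format' \
                  'c03d55a0 d compat_elf_format' > "$tmp"
    emit_define "$tmp" elf_format          # prints: #define ELF_FOR 0xc03d5580
    rm -f "$tmp"
    if needs_hotfix_by_date "$(uname -v)"; then
        echo "running kernel predates the cutoff: hotfix would be applied"
    else
        echo "running kernel is newer than the cutoff: hotfix skipped"
    fi
}
demo
```

On a real host the flow is `emit_define "$(find_map "$(uname -r)")" elf_format > config.h` before building the module; because lookup_symbol exits non-zero on a missing or duplicated symbol, a build driven by it stops instead of compiling a module that would dereference a bad ELF_FOR.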